(54) Encryption strength evaluation support apparatus and recording medium recording
encryption strength evaluation support program



(57) An encryption strength evaluation support 
apparatus includes a statistical data sampling program 
executing means for statistically obtaining correlations 
between individual bits of input and output data of an 
encryption device to be evaluated, a statistical result 
storage means for storing the bit correlations obtained 
by the statistical data sampling program executing 
means, and a statistical result edit/output means for 
editing and outputting the bit correlations stored in the 
statistical result storage means in the form of a table or 
a two- or three-dimensional graph. A mechanically 
readable recording medium recording an encryption 
strength evaluation support program for the above 
apparatus is also disclosed. 
Description

BACKGROUND OF THE INVENTION 
FIELD OF THE INVENTION 

[0001] The present invention relates to an encryption
strength evaluation support apparatus suited to evaluating
the encryption strength of an encryption device by
using a statistical method and a mechanically readable
recording medium recording an encryption strength
evaluation support program.

DESCRIPTION OF THE PRIOR ART 

[0002] Conventional techniques of evaluating the 
strength of encryption algorithm are roughly classified 
into those based on a specific decoding method and 
those based on statistical methods. 
[0003] Examples of the encryption strength evaluation 
based on a specific decoding method are "Method and 
Apparatus for Evaluating Strength of Encryption Algo- 
rithm" described in Japanese Unexamined Patent Pub- 
lication No. 8-190344 and "Encryption Performance 
Evaluation Apparatus" described in Japanese Unexam- 
ined Patent Publication No. 9-160489 similar to the 
former patent. Either technique evaluates the strength 
of encryption algorithm in terms of strength against lin- 
ear decoding for block encryption. That is, the former 
technique finds a linear approximate expression having 
a maximum deviation ratio obtainable from an encryp- 
tion algorithm whose strength is to be evaluated. On the 
basis of the result of this search, the strength of encryp- 
tion algorithm against linear decoding is evaluated. The 
latter technique attempts to improve the performance of 
evaluation by increasing linear correlation detection
efficiency in linear decoding. Details of the linear decoding
are described in Mitsuru Matsui, "DES Encryption Linear
Decoding method (1)", SCIS93-3C (Jan, 1993).
[0004] On the other hand, the conventional encryption 
strength evaluation based on statistical methods is 
described in, e.g., "Encryption and Information Secu- 
rity" (March 29, 1990, Shokodo), "2.5 Ciphertext Ran- 
domness Evaluation Indices" (pp. 49 - 56). That is, this 
technique evaluates the encryption strength by using 
numerical values such as the maximum value, mean 
value, and variance of the correlation between input and 
output data. This reference also describes discrimina- 
tion between the strengths of a plurality of encryption 
algorithms by comparing these numerical values. 
[0005] The encryption strength evaluation based on a 
specific decoding method depends upon the specific 
decoding method called linear decoding. Therefore, this 
technique cannot evaluate in principle the strength of 
encryption algorithm to which this decoding method is 
not applicable, and hence lacks versatility. In contrast, 
the method of evaluating encryption strength by using a 
statistical method is highly versatile because the
method does not depend upon any specific decoding
method.
[0006] Unfortunately, the conventional encryption
strength evaluation technique based on a statistical
method evaluates encryption strength by using numerical
values such as the maximum value, mean value,
and variance of the correlation between input and output
data. Since these values are representative values
of a large number of sample values, this technique cannot
finely analyze the behavior of encryption conversion.
In some instances, evaluation errors may take
place.

SUMMARY OF THE INVENTION 

[0007] The present invention has been made in consideration
of the above situation and has as its object to
provide an encryption strength evaluation support apparatus
capable of evaluating encryption strength independently
of any specific decoding method and finely
analyzing the behavior of encryption conversion, and a
mechanically readable recording medium recording an
encryption strength evaluation support program.
[0008] It is another object of the present invention to
provide an encryption strength evaluation support apparatus
capable of easily analyzing the behavior of
encryption conversion, and a mechanically readable
recording medium recording an encryption strength
evaluation support program.
[0009] To achieve the above objects, according to the
first aspect of the present invention, there is provided an
encryption strength evaluation support apparatus comprising
statistical data sampling program executing
means for statistically obtaining correlations between
individual bits of input and output data of an encryption
device to be evaluated, statistical result storage means
for storing the bit correlations obtained by the statistical
data sampling program executing means, and statistical
result edit/output means for editing and outputting the
bit correlations stored in the statistical result storage
means in the form of a table or a two- or three-dimensional
graph.
[0010] In this encryption strength evaluation support
apparatus, the statistical data sampling program executing
means statistically obtains correlations between
individual bits of input and output data of an encryption
device to be evaluated and stores the bit correlations in
the statistical result storage means. The statistical result
edit/output means edits and outputs the bit correlations
stored in the statistical result storage means in the form
of a table or a two- or three-dimensional graph. Accordingly,
it is possible to evaluate encryption strength independently
of any specific decoding method and finely
and easily analyze the behavior of encryption conversion.

[0011] According to the present invention, there is provided
an encryption strength evaluation support apparatus
further comprising, in addition to the arrangement of
the first aspect, evaluation object program forming
means for forming an encryption program to be evaluated,
wherein the statistical data sampling program executing
means statistically obtains correlations between
individual bits of input and output data of the evaluation
object program formed by the evaluation object program
forming means. This allows a single apparatus to design
and evaluate an encryption algorithm and thereby
improves the efficiency of development.
[0012] According to the present invention, there is provided
an encryption strength evaluation support apparatus
further comprising statistical program library means
for holding, for each predetermined evaluation item, a 
statistical program for calculating data necessary to 
evaluate the evaluation item, and evaluation object data 
group generating means having evaluation object pro- 
gram forming means for forming an encryption program 
to be evaluated, evaluation condition setting means for 
setting evaluation conditions, and interface function set- 
ting means for setting an interface between the evalua- 
tion object program formed by the evaluation object 
program forming means and the statistical programs, 
the evaluation object data group generating means 
holding an evaluation object data group including the 
formed evaluation object program and the set evalua- 
tion conditions and interface, wherein the statistical data 
sampling program executing means comprises statisti- 
cal data sampling program generating/activating 
(restarting) means for generating a statistical data sam- 
pling program for statistically obtaining correlations 
between individual bits of input and output data of the 
evaluation object program from the evaluation object 
data group and the statistical programs in the statistical 
program library means. This allows a single apparatus 
to design an encryption algorithm and evaluate the 
algorithm by using the statistical programs previously 
held in the statistical program library means, thereby 
improving the efficiency of development. 
[0013] According to the present invention, the statistical
program library means comprises a basic function
library of basic functions such as addition, subtraction, 
and logical operations, and statistical program library 
generating means for generating a statistical program to 
be added to a statistical program library by using the 
basic functions of the basic function library. This allows 
the user to freely form any statistical program and per- 
form evaluation by using the program. 
[0014] According to the present invention, the statisti- 
cal data sampling program executing means comprises 
means for sequentially collecting statistical data for a 
plurality of evaluation items. Consequently, a plurality of 
evaluation items can be simultaneously evaluated. 
[0015] According to the present invention, the statistical
data sampling program executing means has a function
of interrupting processing for an evaluation item
currently being executed and processing the next evaluation
item in accordance with an instruction from a user,
and a function of restarting processing for the evaluation
item interrupted in accordance with an instruction
from the user.
[0016] The encryption strength evaluation support
apparatus of the present invention achieves the following
effects.

[0017] Encryption strength can be evaluated independently
of any specific decoding method because
statistical evaluation is performed on the basis of the
correlation between input and output data of an encryption
device. Therefore, even when the encryption algorithm
is unknown, evaluation is possible if input and
output data sequences of an encryption device are
obtainable. To evaluate strength by a known plaintext
amount necessary to conventional evaluation, e.g., linear
decoding, a linear approximate expression of an
encryption algorithm must be obtained beforehand.
However, if the encryption algorithm is unknown, such
evaluation is impossible. For example, the present invention
can evaluate the strength of an encryption device having
tamper resistance, whereas an evaluation
method that depends upon linear decoding cannot.
[0018] The behavior of encryption conversion can be
finely detected. This is because statistical data indicating
the correlations between individual bits of input and
output data of an encryption device to be evaluated is
edited and output in the form of a table or the like, so
details of the individual bit correlations can be known.
[0019] The behavior of encryption conversion can be
easily detected. The reason for this is that statistical
data indicating the correlations between individual bits
of input and output data of an encryption device to be
evaluated is edited and output in the form of a two- or
three-dimensional graph, so the operator can intuitively
recognize the data.

[0020] The encryption strengths of a plurality of
encryption devices can be easily compared. The reason
is that statistical data indicating the correlations
between individual bits of input and output data of a plurality
of encryption devices are edited and compared in
the form of the same table or graph, so the operator can
compare details of the behaviors of these encryption
devices.
[0021] An encryption device can be efficiently
designed for reasons explained below. That is, in the
process of designing an encryption algorithm, the
behaviors of the encryption algorithm before and after
correction can be easily analyzed, and relative strength
comparison is easy to perform. Additionally, the evaluation
object program forming means can perform processes
from correction to evaluation of a program as a
series of operations.

[0022] The above and many other objects, features
and advantages of the present invention will become
manifest to those skilled in the art upon making reference
to the following detailed description and accompanying
drawings in which preferred embodiments
incorporating the principles of the present invention are
shown by way of illustrative examples.
BRIEF DESCRIPTION OF THE DRAWINGS
[0023]

Fig. 1 is a block diagram showing the whole configuration
of one embodiment of the present invention;
Fig. 2 is a block diagram showing the arrangement
of an evaluation object data group generating
means used in the embodiment of the present
invention;
Fig. 3 is a block diagram showing the arrangement
of a statistical program library means used in the
embodiment of the present invention;
Fig. 4 is a block diagram showing the arrangement
of a statistical data sampling program executing
means used in the embodiment of the present
invention;
Fig. 5 is a block diagram showing the arrangement
of a statistical result edit/output means used in the
embodiment of the present invention;
Fig. 6 is a flow chart showing the operation of a statistical
evaluation system control means used in the
embodiment of the present invention;
Fig. 7 is a flow chart showing the operation of a statistical
data sampling program operation monitoring
means used in the embodiment of the present
invention;
Fig. 8 is a flow chart showing the operation of a statistical
data sampling program generating/activating
(restarting) means used in the embodiment of the
present invention;
Fig. 9 is a flow chart showing the operation of a statistical
data sampling program interrupting/ending
means used in the embodiment of the present
invention;
Fig. 10 is a flow chart showing the operation of a
statistical data sampling program used in the
embodiment of the present invention;
Fig. 11 is a view showing an evaluation object program;
Fig. 12 is a view showing evaluation conditions;
Fig. 13 is a view showing settings of interface functions
between an evaluation object program and
statistical programs;
Fig. 14 is a view showing the status of execution of
the statistical data sampling program displayed on
a display device;
Fig. 15 is a view showing a table displayed when
statistical data is edited and output;
Fig. 16 is a view showing a "draw graph" dialogue
box used to designate the type of graph;
Figs. 17A to 17E are views showing different types
of graphs displayed when statistical data is edited
and output; and
Fig. 18 is a block diagram showing the whole configuration
of another embodiment of the present
invention.



DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0024] Several preferred embodiments of the present
invention will be described in detail below with reference
to the accompanying drawings.
[0025] Referring to Fig. 1, an encryption strength evaluation
support apparatus according to one embodiment
of the present invention includes an evaluation object
data group generating means 101, a statistical program
library means 102, a statistical evaluation system control
means 103, a statistical data sampling program executing
means 104, a statistical result edit/output means
105, and a statistical result storage means 106.

[0026] The statistical program library means 102 has
a statistical program library which is a library of statistical
programs each for calculating data necessary to
evaluate a corresponding predetermined evaluation
item. This statistical program library means 102 also
has a support function of allowing the evaluation operator
to form arbitrary statistical programs. Examples of
the statistical evaluation items are bit balance, output bit
correlation, input bit-output bit correlation, and avalanche
(each item will be described in detail later).
[0027] The evaluation object data group generating
means 101 has an evaluation object data group containing
an evaluation object program whose encryption
strength is to be evaluated, the evaluation conditions,
and an interface between the evaluation object program
and the statistical programs. The evaluation object data
group generating means 101 also has a support function
of allowing the evaluation operator to form arbitrary
encryption algorithms to be evaluated and evaluation
conditions.

[0028] The statistical data sampling program executing
means 104 receives an evaluation object data group
from the evaluation object data group generating means
101 and also receives statistical programs for calculating
data necessary to evaluate the evaluation items of
the evaluation object data group from a statistical program
library (303 in Fig. 3) of the statistical program
library means 102. The statistical data sampling program
executing means 104 has a function of generating,
from these input data group and statistical
programs, a statistical data sampling program (406 in
Fig. 4) for statistically calculating the correlation
between each bit of input data and each bit of output
data of an encryption algorithm to be evaluated, and
executing the generated program.
[0029] The statistical result storage means 106 stores
the statistical results of the correlations between individual
bits of the encryption algorithm input and output
data sampled by the statistical data sampling program
executing means 104.
[0030] The statistical result edit/output means 105
edits and outputs the bit correlations stored in the statistical
result storage means 106 in the form of a table or a
two- or three-dimensional graph.
[0031] The statistical evaluation system control means
103 receives various instructions from the evaluation 
operator and controls the statistical data sampling pro- 
gram executing means 104 and the statistical result 
edit/output means 105 in accordance with the contents 
of these instructions. 

[0032] In the encryption strength evaluation support 
apparatus of this embodiment having the above config- 
uration, the evaluation operator prepares a statistical 
program library in the statistical program library means 
102 and also prepares an evaluation object data group, 
which describes a program to be evaluated, evaluation 
conditions such as items to be evaluated, and an inter- 
face between the evaluation object program and neces- 
sary statistical programs, in the evaluation object data 
group generating means 101. After that, the operator 
instructs the apparatus to sample statistical data. In 
accordance with the instruction from the statistical eval- 
uation system control means 103, the statistical data 
sampling program executing means 104 generates and 
executes a statistical data sampling program on the 
basis of the evaluation object data group and statistical 
program library. Consequently, the correlations between 
individual bits of input and output data of an encryption 
algorithm to be evaluated are statistically obtained and 
stored in the statistical result storage means 106. The 
operator then instructs the apparatus to edit and output 
the statistical results. In accordance with the instruction 
from the statistical evaluation system control means 
103, the statistical result edit/output means 105 edits 
and outputs the statistical results stored in the statistical 
result storage means 106 in the form of a table or a two-
or three-dimensional graph. This allows the operator to 
finely and easily recognize the behavior of encryption 
conversion of the encryption algorithm to be evaluated. 
[0033] The arrangement and operation of each com- 
ponent of the encryption strength evaluation support 
apparatus of this embodiment will be described in detail 
below. 

[0034] Fig. 2 is a block diagram showing the arrange- 
ment of the evaluation object data group generating 
means 101. Fig. 3 is a block diagram showing the 
arrangement of the statistical program library means 
102. 

[0035] Referring first to Fig. 3, this statistical program 
library means 102 comprises a basic function library 
302, a statistical program library generating means 301,
and a statistical program library 303. The basic function 
library 302 is a library of basic functions, i.e., basic cal- 
culation functions such as addition, subtraction, logical 
operations, and mean calculations. The statistical pro- 
gram library generating means 301 provides the evalu- 
ation operator with a statistical program formation 
environment by using the basic functions prepared in 
the basic function library 302. The statistical program 
library 303 stores statistical programs generated by the 
statistical program library generating means 301. 
[0036] A statistical program generates, as evaluation
data, input plaintext and a key to an encryption algorithm
to be evaluated, calculates output ciphertext
obtained when the evaluation data is input to the
encryption algorithm, and also calculates statistical data
from the evaluation data. A statistical program is prepared
for each evaluation item. The contents of some
representative evaluation items and the functions of statistical
programs necessary for these items will be
described below. Assume that the evaluation object
algorithm is F, the plaintext is M, the key is K, the output
of the evaluation object algorithm is F(M,K), the input
bit width is n, and the output bit width is m.

○ Avalanche evaluation:

[0037] Avalanche evaluation evaluates the effect a
one-bit change in input data has on an output bit by following,
e.g., the procedure below.

(1) Generate M by random numbers.
(2) Calculate F(M,K).
(3) Invert the ith bit of M by one bit to form data M_i.
(4) Calculate F(M_i,K).
(5) If the jth bit of F(M,K) xor F(M_i,K) is 0 or 1, add -1
or 1, respectively, to an element A_ij of a two-dimensional
matrix A of n rows x m columns (xor: exclusive-OR).
(6) Repeat (1) to (5) for large numbers of Ms and
Ks. Consequently, each element of A stores [count
of inversion - count of non-inversion] of a specific
output bit when a specific input bit is inverted. This
is avalanche data.

[0038] Of the above procedure, an avalanche evaluation
statistical program performs the processes of generating
large numbers of Ms and Ks by random
numbers and updating A on the basis of the result of
F(M,K) xor F(M_i,K). An evaluation object program performs
the process of calculating F(M,K) and F(M_i,K).
Note that passing on of evaluation data generated by
the statistical program to the evaluation object program
and passing on of data generated by the evaluation
object program to the statistical program are performed
in accordance with an interface between the evaluation
object program and the statistical program in the evaluation
object data group. This applies to each of the following
evaluation items.

○ Input bit-output bit correlation evaluation

[0039] Input bit-output bit correlation evaluation evaluates
the correlation between each bit of input data and
each bit of output data by following, e.g., the procedure
below.

(1) Generate M by random numbers.
(2) Calculate F(M,K).
(3) Exclusive-OR each bit i of M and each bit j of
F(M,K). If the operation result is 0 or 1, add -1 or 1,
respectively, to an element A_ij of a two-dimensional
matrix A of n rows x m columns.
(4) Repeat (1) to (3) for large numbers of Ms and
Ks. Consequently, each element of A stores [count
of mismatch - count of match] between a specific
input bit and a specific output bit. This is input bit-output
bit correlation data.

EP 0 932 272 A2

[0040] Of the above procedure, an input bit-output bit 
correlation evaluation statistical program performs the 
processes of generating large numbers of Ms and Ks by 
random numbers and updating A by exclusive-ORing 
each bit of M and each bit of F(M,K). An evaluation 
object program performs the process of calculating 
F(M,K). 

○ Output bit correlation evaluation

[0041] Output bit correlation evaluation evaluates the
correlation between individual bits of output data by following,
e.g., the procedure below.

(1) Generate M by random numbers.
(2) Calculate F(M,K).
(3) Exclusive-OR each bit i of F(M,K) and another
bit j of F(M,K). If the operation result is 0 or 1, add -1
or 1, respectively, to an element A_ij of a two-dimensional
matrix A of n rows x m columns.
(4) Repeat (1) to (3) for large numbers of Ms and
Ks. Consequently, each element of A stores [count
of mismatch - count of match] between two specific
output bits. This is output bit correlation data.

[0042] Of the above procedure, an output bit correla- 
tion evaluation statistical program performs the proc- 
esses of generating large numbers of Ms and Ks by 
random numbers and updating A by exclusive-ORing 
each bit i of F(M,K) and another bit j of F(M,K). An eval- 
uation object program performs the process of calculat- 
ing F(M,K). 

○ Bit balance evaluation

[0043] Bit balance evaluation evaluates the frequencies
of occurrence of 1 and 0 for each bit of output data
by following, e.g., the procedure below.

(1) Generate M by random numbers.
(2) Calculate F(M,K).
(3) If each bit i of F(M,K) is 0 or 1, add -1 or 1,
respectively, to an element B_i of a one-dimensional
matrix B of m rows.
(4) Repeat (1) to (3) for large numbers of Ms and
Ks. Consequently, each element of B stores [count
of appearance of 1 - count of appearance of 0] of a
specific output bit. This is bit balance data.



[0044] Of the above procedure, a bit balance evalua- 
tion statistical program performs the processes of gen- 
erating large numbers of Ms and Ks by random 
numbers and updating B in accordance with the value of 
each bit of F(M,K). An evaluation object program per- 
forms the process of calculating F(M,K). 
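
The four procedures above (avalanche, input bit-output bit correlation, output bit correlation, bit balance), as an added Python example that is not part of the patent text. `weak_f` and `feistel_f` are constructed toy 16-bit ciphers standing in for the evaluation object program F, the key is assumed to be n bits wide, and `worst` is a hypothetical summary helper.

```python
import hashlib
import random

N = 16      # input bit width n (assumed toy block size)
M_OUT = 16  # output bit width m

def bits(x, width):
    """Bits of x as a list; index 0 is the least significant bit."""
    return [(x >> i) & 1 for i in range(width)]

def signed(b):
    """Map a bit to the counter step used in the procedures: 0 -> -1, 1 -> +1."""
    return 1 if b else -1

def weak_f(m, k):
    """Constructed weak cipher: XOR with the key, rotate left by 3."""
    x = (m ^ k) & 0xFFFF
    return ((x << 3) | (x >> 13)) & 0xFFFF

def feistel_f(m, k, rounds=4):
    """Constructed 16-bit Feistel cipher with SHA-256 as round function."""
    left, right = m >> 8, m & 0xFF
    for r in range(rounds):
        d = hashlib.sha256(bytes([r, right]) + k.to_bytes(2, "big")).digest()
        left, right = right, left ^ d[0]
    return (left << 8) | right

def avalanche(f, samples, rng, n=N, m=M_OUT):
    """A[i][j] = inversions - non-inversions of output bit j when input bit i flips."""
    a = [[0] * m for _ in range(n)]
    for _ in range(samples):
        msg, key = rng.getrandbits(n), rng.getrandbits(n)
        base = f(msg, key)
        for i in range(n):
            diff = bits(base ^ f(msg ^ (1 << i), key), m)
            for j in range(m):
                a[i][j] += signed(diff[j])
    return a

def in_out_correlation(f, samples, rng, key=None, n=N, m=M_OUT):
    """A[i][j] = mismatches - matches between input bit i and output bit j.
    key=None draws a fresh random key per sample; a fixed key is also allowed."""
    a = [[0] * m for _ in range(n)]
    for _ in range(samples):
        msg = rng.getrandbits(n)
        k = rng.getrandbits(n) if key is None else key
        mb, cb = bits(msg, n), bits(f(msg, k), m)
        for i in range(n):
            for j in range(m):
                a[i][j] += signed(mb[i] ^ cb[j])
    return a

def out_out_correlation(f, samples, rng, n=N, m=M_OUT):
    """A[i][j] = mismatches - matches between output bits i and j (i != j).
    Sized m x m here because both indices range over output bits."""
    a = [[0] * m for _ in range(m)]
    for _ in range(samples):
        cb = bits(f(rng.getrandbits(n), rng.getrandbits(n)), m)
        for i in range(m):
            for j in range(m):
                if i != j:
                    a[i][j] += signed(cb[i] ^ cb[j])
    return a

def bit_balance(f, samples, rng, n=N, m=M_OUT):
    """B[i] = (count of 1) - (count of 0) for output bit i."""
    b = [0] * m
    for _ in range(samples):
        cb = bits(f(rng.getrandbits(n), rng.getrandbits(n)), m)
        for i in range(m):
            b[i] += signed(cb[i])
    return b

def worst(table, samples):
    """Largest |entry| / samples: near 0 is unbiased, 1.0 is a fixed relation."""
    flat = table if isinstance(table[0], int) else [v for row in table for v in row]
    return max(abs(v) for v in flat) / samples

if __name__ == "__main__":
    S = 400
    for name, f in (("weak_f", weak_f), ("feistel_f", feistel_f)):
        rng = random.Random(2024)
        print(name,
              "avalanche", worst(avalanche(f, S, rng), S),
              "in/out(key=0)", worst(in_out_correlation(f, S, rng, key=0), S),
              "out/out", worst(out_out_correlation(f, S, rng), S),
              "balance", worst(bit_balance(f, S, rng), S))
```

With a fresh key per sample the XOR-and-rotate cipher's input/output table looks flat; its avalanche table and the fixed-key run expose the one-to-one bit mapping, which is why the per-bit tables are inspected rather than a single summary value.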
[0045] The statistical program library generating 
means 301 for supporting the formation of the various 
statistical programs described above and the basic 
function library 302 can be realized by, e.g., Microsoft 
Visual C++ 4.2. If no appropriate statistical program 
exists in the statistical program library 303, the evalua- 
tion operator can form a desired statistical program 
under the environment provided by the statistical pro- 
gram library generating means 301 by using the basic 
calculation functions such as addition, subtraction, logi- 
cal operations, and mean calculations in the basic func- 
tion library 302, and add the formed program to the 
statistical program library 303. 

[0046] Referring back to Fig. 2, the evaluation object 
data group generating means 101 comprises an evalu- 
ation object program forming means 201, an interface 
function setting means 202, an evaluation condition set- 
ting means 203, and an evaluation object data group 
204. 

[0047] The evaluation object program forming means 
201 provides the evaluation operator with an environ- 
ment for forming an evaluation object program. 
[0048] The evaluation condition setting means 203 
provides the evaluation operator with an environment 
for setting items to be evaluated for an evaluation object 
program and the evaluation conditions such as a key 
and data widths. 

[0049] The interface function setting means 202 pro- 
vides the evaluation operator with an environment for 
setting an interface between an evaluation object pro- 
gram and statistical programs. As described earlier in 
the explanation of evaluation items, an evaluation object 
program is evaluated by using statistical programs, but 
the evaluation object program and the statistical pro- 
grams are formed separately. Therefore, an interface for 
exchanging data between the two kinds of programs 
must be prepared beforehand. The interface function 
setting means 202 allows the evaluation operator to 
form such an interface. 

[0050] The evaluation object program forming means 
201, the interface function setting means 202, and the 
evaluation condition setting means 203 described 
above can be realized by, e.g., Microsoft Visual C++ 4.2. 
[0051] As described above, in the evaluation object
data group generating means 101 shown in Fig. 2, the
encryption strength evaluation support apparatus itself
is given the evaluation object program forming means
201. Consequently, it is possible to efficiently perform a
series of operations of design, evaluation, correction, and
reevaluation of an encryption algorithm. Additionally, the
apparatus has the interface function setting means 202
and the evaluation condition setting means 203. This
allows evaluation of arbitrary items of a formed evaluation
object program.

[0052] Fig. 4 is a block diagram showing the arrangement
of the statistical data sampling program executing
means 104. Fig. 5 is a block diagram showing the
arrangement of the statistical result edit/output means
105. Fig. 6 is a flow chart showing the operation of the
statistical evaluation system control means 103. Figs. 7
to 10 are flow charts showing the operation of each
means in the statistical data sampling program executing
means 104. The rest of the components will be
described below with reference to these drawings.
[0053] Referring first to Fig. 6, the statistical evaluation
system control means 103 starts operating (step 601)
and monitors inputs from an operator (step 602). An
input signal detected in this operator input monitoring
can take any form provided that the signal can designate
the following control. For example, the signal form
can be key input by an operator, input from a separately
prepared operation panel, or information of a control
signal from a certain control program.
[0054] If input from the operator is detected in step
602, the statistical evaluation system control means
103 checks the contents of control indicated by the input
instruction (steps 603, 605, and 607). The contents of
input control instruction from an operator are roughly
classified into an instruction concerning statistical data
sampling, an instruction concerning edit/output of statistical
results, and an instruction directing end of the statistical
evaluation system control means 103 itself. The
input instruction concerning statistical data sampling
from an operator is one of an instruction directing start
(restart) of sampling and an instruction directing interruption
of sampling.

[0055] If the control instruction is about statistical data 35 
sampling (YES in step 603), the statistical evaluation 
system control means 103 issues control data to the 
statistical data sampling program executing means 104 
(step 604), and the flow returns to the operator input 
monitoring in step 602. If the input instruction concern- 40 
ing statistical data sampling from the operator indicates 
sampling start (restart) or sampling interruption, the sta- 
tistical evaluation system control means 103 issues 
control data indicating data sampling start or control 
data indicating data sampling end, respectively, to the
statistical data sampling program executing means 104. 
[0056] If the control instruction is about edit/output of 
statistical results (YES in step 605), the statistical eval- 
uation system control means 103 issues control data to 
the statistical result edit/output means 105 (step 606),
and the flow returns to the operator input monitoring in 
step 602. 

[0057] If the control instruction indicates end of the 
statistical evaluation system control means 103 itself 
(YES in step 607), the statistical evaluation system control
means 103 performs necessary end processes,
e.g., issues control data indicating program operation 
end to the statistical data sampling program executing
means 104, and ends itself (step 608).
[0058] Referring to Fig. 4, the statistical data sampling 
program executing means 104 comprises a statistical 
data sampling program operation monitoring means 
403, a statistical data sampling program interrupt- 
ing/ending means 404, a statistical data sampling pro- 
gram generating/activating (restarting) means 405, and 
a statistical data sampling program 406. The statistical 
data sampling program generating/activating (restart- 
ing) means 405 generates and activates (restarts) the 
statistical data sampling program 406 under the control 
of the statistical data sampling program operation mon- 
itoring means 403. The statistical data sampling pro- 
gram interrupting/ending means 404 interrupts or ends 
the statistical data sampling program 406 under the 
control of the statistical data sampling program opera- 
tion monitoring means 403. The statistical data sam- 
pling program operation monitoring means 403 controls 
the statistical data sampling program generating/acti- 
vating (restarting) means 405 and the statistical data 
sampling program interrupting/ending means 404 and 
thereby controls the execution of the statistical data 
sampling program 406, under the control of the statisti- 
cal evaluation system control means 103 and in accord- 
ance with end information from the statistical data 
sampling program 406. 

[0059] Referring to Fig. 7, the statistical data sampling 
program operation monitoring means 403 starts operat- 
ing (step 701) and executes operations in steps 702 to 
708. First, the statistical data sampling program opera- 
tion monitoring means 403 waits for the reception of 
control data from the statistical evaluation system con- 
trol means 103 (step 702). If control data is detected, 
the statistical data sampling program operation monitor- 
ing means 403 checks the contents of control indicated 
by the control data (steps 703, 705, and 707). The con- 
trol data transmitted from the statistical evaluation sys- 
tem control means 103 is one of control data indicating 
data sampling start, control data indicating data sam- 
pling end, and control data indicating the end of the pro- 
gram operation. 

[0060] If the control data from the statistical evaluation 
system control means 103 indicates data sampling start 
(YES in step 703), the statistical data sampling program 
operation monitoring means 403 issues control data to 
the statistical data sampling program generating/acti- 
vating (restarting) means 405 (step 704), and the flow 
returns to step 702 to wait for the reception of control 
data from the statistical evaluation system control 
means 103. If the statistical data sampling program 406 
is not generated in step 704, the statistical data sam- 
pling program operation monitoring means 403 issues 
control data instructing the generation of a statistical 
data sampling program. If the statistical data sampling 
program 406 is already generated in step 704, the sta- 
tistical data sampling program operation monitoring 
means 403 issues control data instructing the activation 
of the statistical data sampling program. 
[0061] If the control data from the statistical evaluation
system control means 103 indicates data sampling end 
(YES in step 705), the statistical data sampling program 
operation monitoring means 403 issues control data 
instructing the interruption of the statistical data sam- 
pling program 406 to the statistical data sampling pro- 
gram interrupting/ending means 404 (step 706), and the 
flow returns to step 702 to wait for the reception of con- 
trol data from the statistical evaluation system control 
means 103. 

[0062] If the control data from the statistical evaluation 
system control means 103 indicates the end of the pro- 
gram operation (YES in step 707), the statistical data 
sampling program operation monitoring means 403 per- 
forms end processes, e.g., issues control data instruct- 
ing the end of the program operation to the statistical 
data sampling program generating/activating (restart- 
ing) means 405 and the statistical data sampling pro- 
gram interrupting/ending means 404, and ends itself 
after receiving end information from the statistical data 
sampling program 406 (step 708). 
[0063] Referring to Fig. 8, the statistical data sampling 
program generating/activating (restarting) means 405 
starts operating (step 801) and executes operations in 
steps 802 to 808. First, the statistical data sampling pro- 
gram generating/activating (restarting) means 405 waits 
for the reception of control data from the statistical data 
sampling program operation monitoring means 403 
(step 802). If the control data is detected, the statistical 
data sampling program generating/activating (restart- 
ing) means 405 checks the contents of control indicated 
by the control data (steps 803, 805, and 807). The con- 
trol data transmitted from the statistical data sampling 
program operation monitoring means 403 is one of con- 
trol data instructing the generation of the statistical data 
sampling program 406, control data instructing the acti- 
vation (restart) of the program 406, and control data 
instructing the end of the program operation. 
[0064] If the control data from the statistical data sam- 
pling program operation monitoring means 403 indi- 
cates the generation of the statistical data sampling 
program 406 (YES in step 803), the statistical data sampling
program generating/activating (restarting) means
405 generates the statistical data sampling program
406 on the basis of the evaluation object data group 204
in the evaluation object data group generating means 
101 and necessary statistical programs in the statistical 
program library 303 of the statistical program library 
generating means 102 (step 804). The statistical data 
sampling program generating/activating (restarting) 
means 405 activates the generated statistical data sam- 
pling program 406 (step 806), and the flow returns to 
step 802 to wait for the reception of control data from 
the statistical data sampling program operation monitor- 
ing means 403. 

[0065] If the control data from the statistical data sampling
program operation monitoring means 403 indicates
program activation (restart) (YES in step 805), the
statistical data sampling program generating/activating
(restarting) means 405 activates or restarts the statistical
data sampling program 406 (step 806), and the flow
returns to step 802 to wait for the reception of control
data from the statistical data sampling program operation
monitoring means 403.

[0066] If the control data from the statistical data sampling
program operation monitoring means 403 indicates
the end of the program operation (YES in step
807), the statistical data sampling program generating/activating
(restarting) means 405 performs necessary
end processes and ends itself (step 808).
[0067] Referring to Fig. 9, the statistical data sampling
program interrupting/ending means 404 starts operating
(step 901) and executes operations in steps 902 to
908. First, the statistical data sampling program interrupting/ending
means 404 waits for the reception of
control data from the statistical data sampling program
operation monitoring means 403 (step 902). If the control
data is detected, the statistical data sampling program
interrupting/ending means 404 checks the
contents of control indicated by the control data (steps
903 and 905). The control data transmitted from the statistical
data sampling program operation monitoring
means 403 is one of control data instructing the interruption
of the statistical data sampling program 406 and
control data instructing the end of the program operation.

[0068] If the control data from the statistical data sampling
program operation monitoring means 403 indicates
the interruption of the statistical data sampling
program 406 (YES in step 903), the statistical data sampling
program interrupting/ending means 404 edits data
sampled and held up to the point in an internal memory
by the statistical data sampling program 406 into the
form of intermediate data storable in the statistical result
storage means 106, stores the intermediate data in the
statistical result storage means 106, and, if necessary,
displays various messages to the operator (step 904).
Also, the statistical data sampling program interrupting/ending
means 404 issues control data instructing
the interruption to the statistical data sampling program
406 (step 907). The flow then returns to step 902 to wait
for the reception of control data from the statistical data
sampling program operation monitoring means 403.
[0069] If the control data from the statistical data sampling
program operation monitoring means 403 indicates
the end of the program operation (YES in step
905), the statistical data sampling program interrupting/ending
means 404 performs end processes, e.g.,
issues control data instructing the program end to the
statistical data sampling program 406 (step 906) and
ends itself (step 908).

[0070] Referring to Fig. 10, the statistical data sampling
program 406 starts operating after being generated
and activated by the statistical data sampling
program generating/activating (restarting) means 405
(step A01), and executes operations in steps A02 to
A09.

[0071] First, the statistical data sampling program 406
detects control data reception (step A02). If the statisti- 
cal data sampling program 406 detects control data 
from the statistical data sampling program interrupt- 
ing/ending means 404 within a predetermined time in 
step A02 and the detected data indicates program inter- 
ruption or end (steps A03 or A05), the flow advances to 
step A04 or A06, respectively. If the statistical data sam- 
pling program 406 detects control data instructing acti- 
vation (restart) from the statistical data sampling 
program generating/activating (restarting) means 405 
or does not detect anything, the flow advances to step 
A07. 

[0072] In step A07, the statistical data sampling pro- 
gram 406 generates evaluation data. The statistical 
data sampling program 406 executes an evaluation 
object program by using this evaluation data (step A08). 
The statistical data sampling program 406 collects sta- 
tistical data, temporarily stores the collected data in the 
internal memory, and then stores the data in the statisti- 
cal result storage means 106 at a predetermined timing 
(step A09). That is, a statistical program incorporated as 
a part of the statistical data sampling program gener- 
ates the evaluation data and collects and stores the sta- 
tistical data. The evaluation data generated by this 
statistical program is passed on to an evaluation object 
program incorporated as a part of the statistical data 
sampling program, thereby generating output data. The 
statistical program calculates statistical data from the 
output data and evaluation data. If a plurality of evalua- 
tion items are set, the statistical data sampling program 
406 samples statistical data in steps A07 to A09 in the 
evaluation item order designated by the evaluation con- 
ditions. Whenever a predetermined amount of statistical 
data is sampled for each evaluation item, the flow once 
returns to the control data reception detection in step 
A02. If no control data is detected within the predeter- 
mined time in step A02, the statistical data sampling 
program 406 executes steps A07 to A09 to continue the 
sampling of remaining statistical data. 
[0073] If the control data detected in step A02 indi- 
cates the interruption of the statistical data sampling 
program (YES in step A03), the statistical data sampling 
program 406 edits program restart information, neces- 
sary to restart a program for an evaluation item proc- 
essed up to the point in steps A07 to A09, into the form 
of intermediate data storable in the statistical result stor- 
age means 106 (step A04), and the flow returns to the 
control data reception detection in step A02. If no con- 
trol data is detected within the predetermined time in 
step A02 and any uninterrupted evaluation items still 
exist, the statistical data sampling program 406 exe- 
cutes steps A07 to A09 for the next evaluation item. If all 
evaluation items are interrupted, the statistical data 
sampling program 406 keeps waiting for control data 
directing the restart of the program operation. If the control
data is detected, the flow advances to step A07, and
the statistical data sampling program 406 restarts the
processing for an evaluation item interrupted earliest
from the timing of the interruption.
[0074] If the control data detected in step A02 indicates
end (YES in step A05), the statistical data sampling
program 406 performs necessary end processes,
e.g., informs the statistical data sampling program operation
monitoring means 403 of the end, and ends itself
(step A06).

[0075] Referring back to Fig. 5, the statistical result
edit/output means 105 comprises a numerical process- 
ing means 503, a table form numerical data edit/output 
means 505, and a multi-dimensional graph edit/output 
means 506. 

[0076] The table form numerical data edit/output
means 505 edits the statistical data stored in the statis- 
tical result storage means 106, i.e., the statistical data 
indicating the correlations between individual bits of 
input and output data of an encryption program to be
evaluated, into the form of a table and outputs the table
to a display device or a printer. 

[0077] The multi-dimensional graph edit/output means 
506 edits the statistical data stored in the statistical 
result storage means 106 into the form of a two- or 
three-dimensional graph and outputs the graph to the
display device or printer. 

[0078] The numerical processing means 503 controls
the table form numerical data edit/output means 505
and the multi-dimensional graph edit/output means 506
in accordance with control data from the statistical evaluation
system control means 103. The numerical
processing means 503 also performs numerical
processing for the statistical data stored in the statistical
result storage means 106 to calculate basic statistical
amounts such as a mean, maximum, minimum, variance,
and standard deviation. These calculated basic
statistical amounts are also output together with tables
and the like.

[0079] The operation of the encryption strength evaluation
support apparatus according to this embodiment
will be described in detail below by taking a practical 
encryption program as an example. Note that the oper- 
ation will be described in the following order. 

(1) Preparation

(a) Preparation of statistical program library

(b) Preparation of evaluation object data group

(2) Sampling of statistical data

(a) Generation and activation of statistical data
sampling program

(b) Interruption of statistical data sampling program

(c) Restart of statistical data sampling program

(3) Output of statistical data

(4) End

(1) Preparation

[0080] To evaluate encryption strength, it is necessary 
to prepare the evaluation object data group 204 contain- 
ing an evaluation object program and the like and the 
statistical program library 303 containing necessary statistical
programs. If the data group and library are
already prepared, this step can be omitted.

(a) Preparation of statistical program library 

[0081] If no necessary statistical programs exist in the
statistical program library 303, the evaluation operator
activates the statistical program library generating
means 301. Under the environment provided by the statistical
program library generating means 301, the operator
forms desired statistical programs by using the
basic calculation functions such as addition, subtrac- 
tion, logical operations, and mean calculations in the 
basic function library 302, and adds the formed pro- 
grams to the statistical program library 303. In the fol- 
lowing explanation, it is assumed that statistical 
programs for bit balance, output bit relation, input bit- 
output bit relation, and avalanche are formed and stored 
in the statistical program library 303. 

(b) Preparation of evaluation object data 

[0082] An evaluation object program is formed by 
using the evaluation object program forming means 
201. An interface between the evaluation object pro- 
gram and the statistical programs is set by using the 
interface function setting means 202. Evaluation condi- 
tions are set by using the evaluation condition setting 
means 203. 

[0083] Fig. 11 shows an evaluation object program
formed by using Microsoft Visual C++ 4.2. This evalua- 
tion object program describes an encryption algorithm 
which exclusive-ORs text and a masterkey to form a 
cipher. 

[0084] Fig. 12 shows evaluation conditions formed by 
using Microsoft Visual C++ 4.2. Referring to Fig. 12, 
four items of avalanche, bit balance, input bit-output bit 
relation, and output bit relation are designated, in the 
form of declaration of a common external function, as 
evaluation items to be sampled. Subsequently, the fol- 
lowing items are designated in the form of external var- 
iable declaration: a key random number seed, input 
data random number seed, key bit length, input data 
block bit length, output data block bit length, key change 
count indicating the count of input data by which the key 
is changed, data change count indicating the count of 
changes of input data for one key, keyboard input moni- 
toring interval indicating the interval of keyboard input 
monitoring in terms of count of calculations, and automatic
save interval indicating the interval of save of a
calculation result into the statistical result storage
means 106 in terms of count of calculations. In addition, 
an evaluation object program is designated in the form 
of external function declaration. 

[0085] Fig. 13 shows settings of interface functions,
formed by using Microsoft Visual C++ 4.2, between the
evaluation object programs and the statistical programs.
Referring to Fig. 13, a total of four functions, i.e.,
avalanche();, iorelation();, relation();, and balance();, are
described as statistical evaluation main functions. All of
these functions are statistical programs and stored in
the statistical program library 303. These statistical
evaluation main functions are executed in order of
description. Each statistical evaluation main function is
set in the key and data pass-on areas designated by the
common external function shown in Fig. 12 by generating
the key and the input data by using the key random
number seed and the input data random number seed
designated by the external variable declaration shown
in Fig. 12. The bit lengths of the generated key and input
data correspond to the key bit length and the input data
block bit length shown in Fig. 12. Also, key and input
data to be generated are changed in accordance with
the key change count and the data change count shown
in Fig. 12.

[0086] Other functions described in the interface
shown in Fig. 13 are a function of receiving a key from
the statistical evaluation function and passing on the
key to the evaluation object program, a function of
receiving and saving input data from the statistical evaluation
function, calling the evaluation object program,
and obtaining output data from the program, and a function
of saving the obtained output data. On the basis of
these saved input and output data, the statistical evaluation
function calculates statistical data and finally outputs
the calculated data to the statistical result storage
means 106.

(2) Sampling of statistical data

(a) Generation and activation of statistical data sampling
program

[0087] When the operator instructs sampling of statistical
data, the statistical evaluation system control
means 103 detects the instruction (step 603 in Fig. 6) 
and sends control data instructing data sampling start to 
the statistical data sampling program executing means 
104 (step 604). 

[0088] The statistical data sampling program operation
monitoring means 403 of the statistical data sampling
program executing means 104 detects the control
data directing data sampling start (step 703 in Fig. 7).
Since the statistical data sampling program 406 has not
been formed yet, the statistical data sampling program
operation monitoring means 403 issues control data
directing program generation to the statistical data sampling
program generating/activating (restarting) means
405 (step 704).

[0089] The statistical data sampling program generating/activating
(restarting) means 405 detects the control
data instructing program generation (step 803 in Fig. 8).
The statistical data sampling program generating/activating
(restarting) means 405 receives the evaluation
object data group 204 prepared in the evaluation object
data group generating means 101 and necessary programs
from the statistical program library 303 prepared
in the statistical program library generating means 102,
and generates the statistical data sampling program
406 which performs the operation as shown in Fig. 10
(step 804). When this statistical data sampling program
406 is generated, the evaluation object program as
shown in Fig. 11 is linked to the interface functions as
shown in Fig. 13 and to the statistical programs in the
statistical program library 303, thereby generating one
executable program. Then, the statistical data sampling
program generating/activating (restarting) means 405
activates the generated statistical data sampling program
406 (step 806).

[0090] The statistical data sampling program 406 thus
generated and activated generates evaluation data for a
first evaluation item (step A07), executes the evaluation
object program by using the generated evaluation data
as input data (step A08), and collects and stores statistical
data on the basis of the evaluation data and output
data from the evaluation object program (step A09). In
Fig. 13, the statistical evaluation main functions are
described in the order of avalanche();, iorelation();,
relation();, and balance();. Accordingly, the statistical data
are collected and saved in the order of avalanche evaluation
data, input bit-output bit relation data, output bit
relation data, and balance data.

[0091] The data collection of each evaluation item is
continuously performed each time the count of calculations
designated by the keyboard input monitor interval
shown in Fig. 12 is reached. Whenever the designated
count of calculations is reached, the flow once returns
to the detection of control data reception in step A02. If
no interruption is designated within a predetermined
time, the rest of the calculation is restarted. The collected
statistical data of the individual evaluation items
are finally stored in the statistical result storage means
106 in units of evaluation items.

(b) Interruption of statistical data sampling program 

[0092] The operator can interrupt processing for an 
evaluation item currently being executed and start
processing for the next evaluation item by designating 
interruption of statistical data sampling. 
[0093] When the operator instructs sampling interrup- 
tion, the statistical evaluation system control means 103 
detects the instruction (step 603 in Fig. 6) and issues
control data instructing data sampling end to the statis- 
tical data sampling program executing means 104 (step 
604). 



[0094] The statistical data sampling program opera- 
tion monitoring means 403 of the statistical data sam- 
pling program executing means 106 detects this control 
data instructing data sampling end (step 705 in Fig. 7) 
and issues control data instructing interruption of the 
program to the statistical data sampling program inter- 
rupting/ending means 404 (step 706). 
[0095] The statistical data sampling program interrupt- 
ing/ending means 404 detects the control data directing 
program interruption (step 903 in Fig. 9). The statistical 
data sampling program interrupting/ending means 404 
edits data sampled and held up to the point in the inter- 
nal memory into the form of intermediate data storable 
in the statistical result storage means 106, stores the 
intermediate data in the statistical result storage means 
106, and, if necessary, displays various messages to 
the operator (step 904). After that, the statistical data 
sampling program interrupting/ending means 404 
issues control data directing the interruption to the sta- 
tistical data sampling program 406 (step 907). 
[0096] The statistical data sampling program 406 
detects the control data instructing the interruption (step 
A03 in Fig. 10), edits program restart information neces- 
sary to restart the program next time into the form of 
intermediate data storable in the statistical result stor- 
age means 106, and stores the intermediate data (step 
A04). The flow then returns to the detection of control 
data reception in step A02. If no control data is detected 
within a predetermined time in step A02, the statistical 
data sampling program 406 executes steps A07 to A09 
for the next evaluation item. 

(c) Restart of statistical data sampling program 

[0097] If processing for all evaluation items is inter- 
rupted, the operator can restart processing for an inter- 
rupted evaluation item from the timing of interruption by 
instructing the restart of statistical data sampling. 
[0098] When the operator instructs sampling restart, 
the statistical evaluation system control means 103 
detects the instruction (step 603 in Fig. 6) and sends 
control data instructing data sampling start to the statis- 
tical data sampling program executing means 104 (step 
604). 

[0099] The statistical data sampling program opera- 
tion monitoring means 403 of the statistical data sam- 
pling program executing means 104 detects the control 
data instructing data sampling start (step 703 in Fig. 7) 
and issues control data instructing program activation 
(restart) to the statistical data sampling program gener- 
ating/activating (restarting) means 405 (step 704). 
[0100] The statistical data sampling program generating/activating
(restarting) means 405 detects the control
data directing program activation (restart) (step 805 in 
Fig. 8) and issues control data directing activation 
(restart) to the statistical data sampling program 406 
(step 806). 

[0101] The statistical data sampling program 406 
detects the control data directing activation (restart)
(NO in step A05 of Fig. 10) and continues the operation 
by using program restart information stored in the statis- 
tical result storage means 106 at the timing of interrup- 
tion and necessary to restart the program next time. 
That is, the statistical data sampling program 406 keeps 
generating evaluation data, executing the evaluation 
object program, and collecting and storing data (steps 
A07, A08, and A09). The evaluation item restarted at 
that point is an evaluation item interrupted earliest. 
[0102] In this embodiment as described above, it is 
possible to interrupt processing for an evaluation item 
currently being executed and process the next evalua- 
tion item. This function is convenient to interrupt 
processing for a certain evaluation item and preferen- 
tially process the next evaluation item, since collecting 
statistical data pertaining to one evaluation item takes a 
certain time. To make this function more practical, it is 
also possible to give the statistical data sampling pro- 
gram executing means 104 a function of calculating and 
displaying the current count and percentage of execu- 
tion, execution count/sec, remaining time, and predicted 
value of the completion time, for an evaluation item cur- 
rently being executed. With this function, the evaluation 
operator can obtain a certain standard indicating 
whether interruption is preferable. 
[0103] Fig. 14 shows the status of execution of a sta- 
tistical data sampling program displayed on the display 
device. Referring to Fig. 14, an operation is instructed 
from the keyboard, i.e., activation (restart) is instructed 
by inputting an encript command, and interruption is 
designated by pressing the [ESC] key. Also, when the 
operator presses the [SPACE] key, the current count 
and percentage of execution, execution count/sec, 
remaining time, and predicted value of the completion 
time are displayed for an evaluation item currently being 
executed. In Fig. 14, when the encript command is input,
an avalanche evaluation start message is displayed 
together with the present date and time. Since the 
[SPACE] key is pressed after that, the current count 
(percentage) of execution (execution count/sec), 
remaining time, and predicted value of the completion 
time are displayed for the avalanche evaluation item 
currently being executed. Subsequently, the [ESC] key 
is pressed, so a message indicating that the avalanche 
evaluation is interrupted, the intermediate results are 
saved, and a process of evaluating the input bit-output 
bit relation is started is displayed. 

(3) Output of statistical data 

[0104] When the operator designates a predeter- 
mined item such as an edit form and designates edit 
and output of statistical data, the statistical evaluation 
system control means 103 detects this designation 
(step 605 in Fig. 6) and issues necessary control data to 
the statistical result edit/output means 105 (step 606). 
The numerical processing means 503 of the statistical
result edit/output means 105 receives and analyzes the
control data and performs necessary control. 
[0105] For example, if the operator instructs to display
the basic statistical amounts and sampled data of a certain
evaluation item in the form of a table, the numerical
processing means 503 reads out the statistical data of
the evaluation item from the statistical result storage
means 106. The numerical processing means 503 then
calculates basic statistical amounts such as a mean,
maximum, minimum, variance, and standard deviation
and informs the table form numerical data edit/output
means 505 of these calculated basic statistical amounts
and the readout statistical data. The table form numerical
data edit/output means 505 edits the informed statistical
data into the form of a predetermined table and
outputs the table together with the informed basic statistical
amounts to the display device or printer. For example,
Microsoft Excel 97 can be used to form a table.
[0106] Fig. 15 shows a table edited and output by using
Microsoft Excel 97. In Fig. 15, a portion denoted by
reference numeral 1501 is a table of statistical data
indicating the correlations between individual bits of
input and output data of an encryption device to be
evaluated. This data is avalanche evaluation data.
Numerals 0, 1, 2 described in the row and column
directions of this table indicate bits of one of input and
output data and bits of the other data. A numerical value
at each intersection indicates [count of inversion - count
of non-inversion] of a specific output bit when a specific
input bit is inverted. A portion denoted by reference
numeral 1502 indicates basic statistical amounts: a mean,
maximum, minimum, variance, standard deviation, and 95%
confidence interval are output. Note that "value", "xSD",
"deviation", and "width" indicate the value,
(value - mean)/σ, deviation ratio, and width, respectively.
In addition, the table describes random number seeds of
key and input data, scheduled all data count, and finished
all data count.

[0107] In the table of avalanche evaluation data shown in
Fig. 15, a large positive numerical value indicates that
the corresponding input and output bits have high
correlation, and a large negative value indicates that the
corresponding input bit does not contribute to scrambling
the data, both of which mean a bad property. If data
scrambling is uneven as in this case, the algorithm may be
decoded by attack using selective difference or the like;
this algorithm is weak. On the other hand, a numerical
value whose absolute value is small indicates that the
probability of an output bit being inverted when the
corresponding input bit is inverted is close to 0.5, so
the scrambling performance is high. Accordingly, the
larger the ratio of numerical values with small absolute
values, the higher the encryption strength. Conventional
statistical methods evaluate algorithms on the basis of
basic statistical amounts. However, a mean value, for
example, approaches 0 even if a large positive or negative
numerical value exists, and this may cause an evaluation
error. Additionally, the correlation between a specific
input bit and a specific output bit cannot be checked, so
the behavior of encryption conversion cannot be finely
analyzed. In contrast, table form display allows fine
analysis of the behavior of encryption conversion and
makes accurate evaluation feasible. Furthermore, different
encryption algorithms can be easily compared by comparing
tables of different evaluation object programs. This
applies to evaluation items such as an input bit-output
bit relation as well as to avalanche evaluation.
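
The table reading described above can be reproduced directly. The following C program is an added example, not the statistical program of this document: it builds the [count of inversion - count of non-inversion] table for the document's XOR evaluation object and for two constructed functions, and reports the mean beside the largest single cell. The function names, the seed, the sample count, and the two constructed functions (rot16_cipher, mix_cipher) are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BITS 32
#define SAMPLES 4096L /* constructed sample count */
typedef uint32_t (*cipher_fn)(uint32_t text, uint32_t key);

/* The page's example evaluation object: cipher = text XOR masterkey. */
static uint32_t xor_cipher(uint32_t t, uint32_t k) { return t ^ k; }

/* Constructed linear map: XOR of 16 rotations of (text ^ key), so each
   input bit always inverts exactly 16 output bits and never the rest. */
static uint32_t rot16_cipher(uint32_t t, uint32_t k) {
    uint32_t x = t ^ k, y = x;
    for (int r = 1; r < 16; r++) y ^= (x << r) | (x >> (BITS - r));
    return y;
}

/* Constructed stand-in for good scrambling (MurmurHash3 32-bit finalizer). */
static uint32_t mix_cipher(uint32_t t, uint32_t k) {
    uint32_t h = t ^ k;
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}
static uint32_t next_rand(uint32_t *s) { /* xorshift32, deterministic */
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s;
}

/* m[i][j] = [count of inversion - count of non-inversion] of output bit j
   when input bit i is inverted, over SAMPLES random inputs under one key. */
static void avalanche(cipher_fn f, long m[BITS][BITS]) {
    uint32_t seed = 0x12345678u, key = next_rand(&seed); /* constructed seed */
    for (int i = 0; i < BITS; i++) for (int j = 0; j < BITS; j++) m[i][j] = 0;
    for (long n = 0; n < SAMPLES; n++) {
        uint32_t t = next_rand(&seed), base = f(t, key);
        for (int i = 0; i < BITS; i++) {
            uint32_t diff = base ^ f(t ^ (UINT32_C(1) << i), key);
            for (int j = 0; j < BITS; j++) m[i][j] += ((diff >> j) & 1u) ? 1 : -1;
        }
    }
}
struct summary { double mean; long max_abs; };
/* The mean (a basic statistical amount) beside the largest single cell. */
static struct summary summarize(cipher_fn f) {
    long m[BITS][BITS], sum = 0;
    struct summary s = {0.0, 0};
    avalanche(f, m);
    for (int i = 0; i < BITS; i++)
        for (int j = 0; j < BITS; j++) {
            sum += m[i][j];
            if (labs(m[i][j]) > s.max_abs) s.max_abs = labs(m[i][j]);
        }
    s.mean = (double)sum / (BITS * BITS);
    return s;
}

int main(void) {
    cipher_fn f[] = {xor_cipher, rot16_cipher, mix_cipher};
    for (int c = 0; c < 3; c++) {
        struct summary s = summarize(f[c]);
        printf("cipher %d: mean=%.2f max|cell|=%ld\n", c, s.mean, s.max_abs);
    }
    return 0;
}
```

The XOR object gives +4096 on the diagonal and -4096 in every other cell. rot16_cipher has a mean of exactly 0 although every cell is +4096 or -4096, which is the evaluation error the paragraph attributes to relying on basic statistical amounts alone.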

[0108] In this embodiment, statistical data indicating 
the correlations between individual bits of input and out- 
put data of an encryption device can also be edited and 
output in the form of a two- or three-dimensional graph. 
Examples of the two-dimensional graph are a line graph 
and a contour graph, and an example of the three- 
dimensional graph is a 3D contour graph. The statistical 
evaluation system control means 103 displays, e.g., a 
"draw graph" dialogue box as shown in Fig. 16 on the 
screen of the display device to allow easy designation of 
the type of graph. Referring to Fig. 16, five types of 
graphs, i.e., a line graph (series: row), line graph 
(series: column), contour graph, 3D contour graph, and 
3D contour graph (inverted) are prepared. The operator 
can easily designate the type of graph to be edited by 
selecting the OK button. 

[0109] The statistical evaluation system control means 
103 informs the statistical result edit/output means 105 
of data indicating the type of graph designated by an 
operator. When the type of graph to be edited is desig- 
nated for a certain evaluation item, the numerical 
processing means 105 reads out statistical data of the 
corresponding evaluation item and transfers the readout 
data to the multi-dimensional graph edit/output means 
506 while designating the type of graph. 
[0110] In accordance with the designated graph type, 
the multi-dimensional graph edit/output means 506 
draws a graph of statistical data on a new graph sheet 
of, e.g., Microsoft Excel 97 and outputs the graph to the 
display device or printer. 

[0111] Figs. 17A to 17E show examples of different 
types of graphs. That is, Figs. 17A, 17B, 17C, 17D, and 
17E show a 3D contour graph, 3D contour graph 
(inverted), contour graph, line graph (series: row), and 
line graph (series: column), respectively. 
[0112] The 3D contour graph shown in Fig. 17A draws the
correlations between individual bits of input and output
data as "mountains", "valleys", and "fields". In the case
of avalanche evaluation data, for example, the input bit
is plotted on the X axis, the output bit is plotted on the
Y axis, and "count of inversion - count of non-inversion"
is plotted on the Z axis. The graph is drawn such that the
larger the value of [count of inversion - count of
non-inversion] in the positive direction the higher the
"mountains", the larger the value in the negative
direction the deeper the "valleys", and the closer the
value to 0 the closer the "mountains" and "valleys" to the
"fields". Accordingly, a high mountain means that the
corresponding input and output have a high correlation,
and a deep valley means that the correlation is extremely
low, both of which mean a bad property. On the other hand,
a field indicates that the probability of an output bit
being inverted when an input bit is inverted is close to
0.5, meaning a good property. A 3D contour graph like this
allows the operator to intuitively, quickly, and
thoroughly survey even details of the behavior of a whole
encryption algorithm to be evaluated. The operator can
also easily compare different encryption algorithms by
comparing 3D contour graphs of a plurality of evaluation
object programs.

[0113] The 3D contour graph (inverted) shown in Fig. 17B
is formed by inverting the mountains and valleys in the 3D
contour graph shown in Fig. 17A. This graph allows the
operator to observe the details of valleys that are
difficult to see in a 3D contour graph. The contour graph
shown in Fig. 17C shows the 3D contour graph in Fig. 17A
when viewed in a direction ® in Fig. 17A. Referring to
Fig. 17C, fields are drawn thinly, and mountains are drawn
thickly. Fig. 17D is a graph showing a given section of
the 3D contour graph in Fig. 17A when viewed in a
direction ® in Fig. 17A. Fig. 17E is a graph showing a
given section of the 3D contour graph in Fig. 17A when
viewed in a direction @ in Fig. 17A. Each graph helps
observe the 3D contour graph in more detail.

[0114] In this embodiment as described above, the
correlations between individual bits of input and output
data of an encryption device can be displayed as various
graphs such as a 3D contour graph. Consequently, details
of the behavior of encryption conversion can be finely and
extremely easily analyzed. This makes accurate evaluation
feasible.

(4) End 

[0115] When the operator instructs end, the statistical
evaluation system control means 103 detects this
instruction (step 607 in Fig. 6). The statistical
evaluation system control means 103 sends control data
instructing end of the program operation to the
statistical data sampling program executing means 104 and
ends its own operation (step 608).

[0116] The statistical data sampling program operation
monitoring means 403 of the statistical data sampling
program executing means 106 detects the control data
instructing end of the program operation (step 707 in
Fig. 7), and issues control data instructing end of the
program operation to the statistical data sampling program
interrupting/ending means 404 and the statistical data
sampling program generating/activating (restarting) means
405. If the statistical data sampling program 406 issues
information, the statistical data sampling program
operation monitoring means 403 ends its own operation
(step 708).

[0117] The statistical data sampling program
generating/activating (restarting) means 405 detects the
control data directing end of the program operation (step
807 in Fig. 8) and ends its own operation (step 808).
Also, the statistical data sampling program
interrupting/ending means 404 detects the control data
directing end of the program operation (step 905 in
Fig. 9), issues control data directing the end to the
statistical data sampling program 406 (step 906), and ends
its own processing (step 908).

[0118] The statistical data sampling program 406 
detects the control data instructing the end (YES in step 
A05 of Fig. 10), informs the statistical data sampling 
program operation monitoring means 403 of the end, 
and ends its own operation (step A06). 
[0119] Fig. 18 is a block diagram showing the arrange- 
ment of another embodiment of the encryption strength 
evaluation support apparatus according to the present 
invention. The encryption strength evaluation support 
apparatus of this embodiment comprises a computer 
main body 1801 including, e.g., a central processing 
unit and a memory, and a CRT 1802, keyboard 1803, 
mouse 1804, magnetic disk drive 1805, and recording 
medium 1806 connected to this computer main body 
1801. The recording medium 1806 is a mechanically 
readable recording medium such as a CD-ROM, mag- 
netooptical disk, or semiconductor memory, and 
records an encryption strength evaluation support pro- 
gram. The encryption strength evaluation support pro- 
gram recorded in the recording medium 1806 is loaded 
into the computer main body 1801 to control the opera- 
tion of the computer main body 1801. In this way the 
encryption strength evaluation support program imple- 
ments an evaluation object data group generating 
means 101, a statistical program library generating 
means 102, a statistical evaluation system control 
means 103, a statistical data sampling program execut- 
ing means 104, and a statistical result edit/output 
means 105 shown in Figs. 1 to 5 on the computer main 
body 1801. Note that a statistical result storage means 
106 shown in Fig. 1 is implemented by the magnetic 
disk drive 1805. 

[0120] The embodiments of the present invention 
have been described above. However, the present 
invention is not limited to the above embodiments, and 
various additions and changes of the invention are pos- 
sible. For example, if the encryption algorithm of an 
encryption device to be evaluated is unknown, it is also 
possible to calculate the correlation between each bit of 
input data and each bit of output data of the encryption 
device from data sequences of the input and output 
data. If this is the case, an evaluation object data group 
is formed by the data sequences of the input and output 
data of the encryption device, and each evaluation item 
data is sampled from these data sequences. 

Claims 

1. An encryption strength evaluation support apparatus
characterized by comprising:

statistical data sampling program executing means for
statistically obtaining correlations between individual
bits of input and output data of an encryption device to
be evaluated;
statistical result storage means for storing the bit
correlations obtained by said statistical data sampling
program executing means; and
statistical result edit/output means for editing and/or
outputting the bit correlations stored in said statistical
result storage means in the form of a table or a two- or
three-dimensional graph.

2. An apparatus according to claim 1, characterized by
further comprising evaluation object program forming means
for forming an encryption program to be evaluated,
wherein said statistical data sampling program executing
means statistically obtains correlations between
individual bits of input and output data of the evaluation
object program formed by said evaluation object program
forming means.

3. An apparatus according to claim 1, characterized by
further comprising:

statistical program library means for holding, for each
predetermined evaluation item, a statistical program for
calculating data necessary to evaluate the evaluation
item; and
evaluation object data group generating means having
evaluation object program forming means for forming an
encryption program to be evaluated, evaluation condition
setting means for setting evaluation conditions, and
interface function setting means for setting an interface
between the evaluation object program formed by said
evaluation object program forming means and the
statistical programs, said evaluation object data group
generating means holding an evaluation object data group
including the formed evaluation object program and the set
evaluation conditions and interface,
wherein said statistical data sampling program executing
means comprises statistical data sampling program
generating/activating (restarting) means for generating a
statistical data sampling program for statistically
obtaining correlations between individual bits of input
and output data of the evaluation object program from the
evaluation object data group and the statistical programs
in said statistical program library means.

4. An apparatus according to claim 3, characterized in
that said statistical program library means comprises a
basic function library of basic functions such as
addition, subtraction, and logical operations, and
statistical program library generating means for
generating a statistical program to be added to a
statistical program library by using the basic functions
of said basic function library.

5. An apparatus according to any one of claims 1 to 4,
characterized in that said statistical data sampling
program executing means comprises means for sequentially
collecting statistical data for a plurality of evaluation
items.

6. An apparatus according to claim 5, characterized in
that said statistical data sampling program executing
means has a function of interrupting processing for an
evaluation item currently being executed and processing
the next evaluation item in accordance with an instruction
from a user.

7. An apparatus according to claim 6, characterized in
that said statistical data sampling program executing
means has a function of restarting processing for an
evaluation item interrupted in accordance with an
instruction from a user.

8. A mechanically readable recording medium recording an
encryption strength evaluation support program which
allows a computer to function as:

statistical data sampling program executing means for
statistically obtaining correlations between individual
bits of input and output data of an encryption device to
be evaluated;
statistical result storage means for storing the bit
correlations obtained by said statistical data sampling
program executing means; and
statistical result edit/output means for editing and/or
outputting the bit correlations stored in said statistical
result storage means in the form of a table or a two- or
three-dimensional graph.






EP 0 932 272 A2 



FIG. 1 (block diagram: evaluation object data group
generating means 101, statistical program library means
102, statistical evaluation system control means 103,
statistical data sampling program executing means 104,
statistical result edit/output means 105, statistical
result storage means 106)

FIG. 2

FIG. 3

FIG. 4

FIG. 5

FIG. 6

FIG. 7

FIG. 10

/* ENCRYPTION ALGORITHM SOURCE FILE */

/* EOR MASTERKEY AND TEXT TO FORM CIPHER (32bits/block) */

unsigned int masterkey;

void encript(unsigned int *text, unsigned int *cipher)
{
    *cipher = *text ^ masterkey;
}

FIG. 12

#include <conio.h>

/* USER-DEFINED TYPE NAME */
typedef unsigned int uint;
typedef unsigned char uchar;

/* COMMON EXTERNAL FUNCTION */
void fKeyBlk(const uchar *);
void fDatBlk(const uchar *, uchar *);
extern void avalanche(void);
extern void balance(void);
extern void iorelation(void);
extern void relation(void);

/* EXTERNAL VARIABLE DECLARATION */
uint dKeySeed = 9705150; /* KEY RANDOM NUMBER SEED */
uint dDatSeed = 9705151; /* INPUT DATA RANDOM NUMBER SEED */
uint dKeyBit = 32;       /* KEY BIT LENGTH */
uint dInBit = 32;        /* INPUT DATA BLOCK BIT LENGTH */
uint dOutBit = 32;       /* OUTPUT DATA BLOCK BIT LENGTH */
uint dKeyCnt = 6;        /* KEY CHANGE COUNT: CHANGE 2^(dKeyCnt) TIMES */
uint dDatCnt = 17;       /* DATA CHANGE COUNT: CHANGE 2^(dDatCnt) TIMES FOR ONE KEY */
uint dKbCnt = 12;        /* KEYBOARD INPUT MONITORING INTERVAL =
                            MONITOR WHENEVER CALCULATION IS PERFORMED 2^(dKbCnt) TIMES */
uint dSavCnt = 31;       /* AUTOMATIC SAVE INTERVAL =
                            SAVE WHENEVER CALCULATION IS PERFORMED 2^(dSavCnt) TIMES */

/* EXTERNAL FUNCTION DECLARATION */
extern void encript(unsigned int *, unsigned int *);
extern unsigned int masterkey; /* KEY VARIABLE DEFINED IN THE ENCRYPTION ALGORITHM SOURCE FILE */






FIG. 13 



/***************
 * main() STATISTICAL EVALUATION MAIN FUNCTION
 ***************/
int main(void)
{
    /* CALL STATISTICAL EVALUATION FUNCTION */
    avalanche();   /* EXECUTE AVALANCHE EVALUATION */
    iorelation();  /* EXECUTE INPUT BIT-OUTPUT BIT RELATION EVALUATION */
    relation();    /* EXECUTE OUTPUT BIT RELATION EVALUATION */
    balance();     /* EXECUTE BALANCE EVALUATION */
    return 0;
}

/******************
 * fKeyBlk() RECEIVE AND PROCESS KEY
 ******************/
void fKeyBlk(const uchar *inkey)
{
    /* PACK FOUR KEY BYTES INTO THE 32-BIT MASTERKEY, MOST SIGNIFICANT BYTE FIRST */
    masterkey = (uint)inkey[0] << 24 | (uint)inkey[1] << 16 |
                (uint)inkey[2] << 8 | (uint)inkey[3];
}

/****************************
 * fDatBlk() RECEIVE DATA AND FORM EVALUATION OBJECT DATA
 ****************************/
void fDatBlk(const uchar *indat, uchar *outdat)
{
    uint text, cipher; /* DEFINE INPUT/OUTPUT WORK VARIABLE */

    /* COPY CONTENTS OF indat[] TO INPUT WORK VARIABLE */
    text = (uint)indat[0] << 24 | (uint)indat[1] << 16 |
           (uint)indat[2] << 8 | (uint)indat[3];

    /* CALL EVALUATION OBJECT */
    encript(&text, &cipher);

    /* COPY OUTPUT RESULTS TO outdat[] */
    outdat[0] = (uchar)(cipher >> 24);
    outdat[1] = (uchar)(cipher >> 16);
    outdat[2] = (uchar)(cipher >> 8);
    outdat[3] = (uchar)cipher;
}

B:¥Temp>encript

Avalanche(V4.0) test start! Fri Aug 08 14:46:28 1997
Avalanche(V4.0) Fri Aug 08 14:46:37 1997

count = 2^14.322(0.24%. 2276rps)-> [+1:01:17] Fri Aug 08 15:47:54 1997
SAVE: ava.sav RESULT: ava_last_xls

Input/Output bit Relation (V4.0) test start! Fri Aug 08 14:46:43 1997

B:¥Temp>encript

Avalanche(V4.0) test start! Fri Aug 08 14:47:40 1997
RESUME: ava.sav

FIG. 16

FIG. 17B